Malicious `lightning` PyPI releases steal credentials on import

TL;DR - lightning versions 2.6.2 and 2.6.3 on PyPI execute obfuscated JavaScript the moment you import lightning. The payload harvests tokens and cloud credentials, abuses the GitHub API to commit stolen data into your repositories, and attempts to infect your npm tarballs on the way out.

What happened

lightning is Lightning-AI's Python package, widely used in ML training and deployment stacks. Socket Research found that PyPI releases 2.6.2 and 2.6.3 were compromised and deliver credential-stealing malware at import time.

The attack chain is deliberate and layered. A hidden _runtime directory contains a Python loader (start.py) that downloads Bun - a JavaScript runtime - directly from GitHub, then executes an obfuscated 11 MB payload (router_runtime.js). The whole thing runs in a daemon thread with suppressed output, triggered automatically when your code does import lightning. Nothing visible. Nothing logged.

The payload does three things. First, it harvests tokens and secrets from environment variables. Second, it abuses the GitHub API to commit encoded exfiltrated data into repositories using any stolen tokens it finds. Third - and this is the part that escalates severity - it attempts to infect developer npm package tarballs. A Python dependency compromise that reaches into your JavaScript ecosystem is a different category of problem.

Socket also noted suspicious behaviour around the Lightning-AI GitHub org during their investigation: issues being closed rapidly after disclosure attempts, and short-lived branch create/delete patterns. They assess this as consistent with a compromised maintainer account, though the full scope of that access remains unconfirmed.

Who is impacted

• Any developer machine, CI runner, or production environment that installed and then imported [email protected] or [email protected].
• Teams running lightning in CI pipelines where GitHub tokens, cloud credentials, or other high-value secrets live in environment variables.
• Organisations where developer workstations have write access to source repositories or hold publish credentials for package registries.

What to do now

• Remove the malicious versions immediately.

  "Socket recommends blocking lightning versions 2.6.2 and 2.6.3 immediately."

• Treat every environment that imported either version as compromised - don't just uninstall and move on.

  "Any environment that installed and imported either version should be treated as compromised."

• Pin to the last known clean release while you wait for maintainer confirmation.

  "Downgrade to the last known clean version, 2.6.1, or wait for confirmation from the maintainers before upgrading."

• Rotate all credentials that were present in affected environments: GitHub tokens, registry tokens, cloud credentials, and any secrets stored in environment variables.
• Review repositories accessible via those tokens for unexpected commits or suspicious encoded content.
• Audit CI/CD logs and developer machines where the package may have been imported. Look for follow-on persistence: new automation artifacts, unexpected repo modifications, or unfamiliar workflow changes.
• If your developers maintain npm packages, inspect recent tarballs for unexpected modifications before publishing.

Why this matters for AppSec

This is the supply chain threat pattern you need to be planning for right now: install- or import-time execution, silent credential harvesting, repo poisoning to spread laterally, and cross-ecosystem infection vectors that turn a single compromised Python package into a JavaScript supply chain risk.

A few things worth internalising:

1. Import-time execution is a powerful attack surface. Python's import system runs arbitrary code. A compromised dependency doesn't need a postinstall hook - it just needs to be imported.
2. Environment variables are the target. CI runners are attractive precisely because they concentrate credentials. Scope what secrets are actually present in the environments where lightning runs.
3. Cross-ecosystem reach changes your blast radius. If the payload succeeds in modifying npm tarballs, your Python compromise becomes a JavaScript one. Treat both ecosystems as potentially affected.
4. Repo poisoning is persistence. Commits made with stolen tokens survive the initial incident. Review git history and audit any automation that has push access.